book by mnm m

SUSE LINUX Security

COURSE 3058

Novell Training Services SELF-STUDY WORKBOOK

Version 1

w w w. n o v e l l . c o m

Proprietary Statement

Trademarks

Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.

No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express prior consent of the publisher. This manual, and any portion thereof, may not be copied without the express written permission of Novell, Inc. Novell, Inc. 1800 South Novell Place Provo, UT 84606-2399

Disclaimer Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes. This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications. Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the students’ own risk.

Software Piracy Throughout the world, unauthorized duplication of software is subject to both criminal and civil penalties. If you know of illegal copying of software, contact your local Software Antipiracy Hotline. For the Hotline number for your area, access Novell’s World Wide Web page at http://www.novell.com and look for the piracy page under “Programs.” Or, contact Novell’s anti-piracy headquarters in the U.S. at 800-PIRATES (7472837) or 801-861-7101.

Novell, Inc. Trademarks NetWare, the N-Design, and Novell are registered trademarks of Novell, Inc. in the United States and other countries. CNA, CDE, CNI, NAEC, and Novell Authorized Education Center are service marks and CNE is a registered service mark of Novell, Inc. in the United States and other countries. ConsoleOne, DirXML, and eDirectory are trademarks of Novell, Inc. GroupWise is a registered trademark of Novell, Inc. Hot Fix, and IPX is a trademark of Novell, Inc. NDS, Novell Directory Services, and NDPS are registered trademarks of Novell, Inc. NetWire is a registered service mark of Novell, Inc. in the United States and other countries. NLM and Novell Certificate Server are trademarks of Novell, Inc. Novell Client, Novell Cluster Services, and Novell Distributed Print Services are trademarks of Novell, Inc. ZENworks is a registered trademark of Novell, Inc.

Other Trademarks Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation.

Contents

SUSE LINUX Security Self-Study Workbook

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1 SUSE LINUX Enterprise Server 9 Setup Instructions . . . . . . . . . . . . . . . . . . . . . . . Intro-2 Access the SUSE LINUX Enterprise Server 9 as a VMware Server . . . . . . . . . . . . . . Intro-2 Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST . . . . . . Intro-8

Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-11 SECTION 2

Host Security Exercise 2-1 Install SLES 9 with a Customized Partition Scheme. . . . . . . . . . . . . . . . . . . . . 2-2 Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login. . . . . . . . . . . . . 2-6 Exercise 2-3 Subscribe to the SUSE Security Announcements . . . . . . . . . . . . . . . . . . . . . . . 2-8 Exercise 2-4 Use nmap to Scan for Open Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9 Exercise 2-5 Run a nessus Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

SECTION 3

Cryptography: Basics and Practical Application Exercise 3-1 Create a CA and Certificates on the Command Line. . . . . . . . . . . . . . . . . . . . . 3-2 Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST . . . . . . . . . . . . . . . . 3-5 Exercise 3-3 (optional) Work with GPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

SECTION 4

Network Security Exercise 4-1 Configure the TCP Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Exercise 4-2 Use stunnel to Secure POP3 with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

SECTION 6

Packet Filters Exercise 6-1 Get Familiar with Basic iptables Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Exercise 6-2 Modify the Script to Set and Delete iptables Rules . . . . . . . . . . . . . . . . . . . . . 6-15 Exercise Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

1-1

SUSE LINUX Administration/Self-Study Workbook

SECTION 7

Application-level Gateway Exercise 7-1 Install and Configure Squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Exercise 7-2 Configure SSL in Squid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 Exercise 7-3 Configure Proxy Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10 Exercise 7-4 Configure Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14 Exercise 7-5 Analyze Squid Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17 Exercise 7-6 Use Dante. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19 Exercise 7-7 Configure rinetd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25

SECTION 8

Virtual Private Networks Exercise 8-1 Establish a VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Exercise 8-2 (optional) Create a VPN Configuration Using YaST . . . . . . . . . . . . . . . . . . . . 8-6 Exercise 8-3 (optional) Filter IPSec Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8

SECTION 9

Intrusion Detection and Incident Response Exercise 9-1 Log to a Remote Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Exercise 9-2 Use Argus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

SECTION 10

LifeFire Exercise

Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

1-2

Section 1

Set Up the Application-Level Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Section 2

Set Up the Screening Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Section 3

Set Up a Web Server in the DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

Section 4

Set Up the Mail Server in the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7

Section 5

Set Up the VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

This workbook is designed to help you practice the skills associated with Course 3058 (SUSE LINUX Security) objectives outside of a classroom.

Introduction The skills introduced in this workbook are critical for performing administrative tasks with regard to security with SUSE LINUX Enterprise Server 9, and are necessary for passing the Novell CLE9 (CertiďŹ ed Linux Engineer) practicum. The exercises in this workbook are the same as those included in your Course 3058 SUSE LINUX Security manual, but with modiďŹ cations and notes to help you perform the exercises on a single computer without relying on an instructor or partner SUSE LINUX Enterprise Server 9 server.

Version 1

If you experience any problems using the SUSE LINUX Enterprise Server 9 VMware Server DVD or the Self-Study Workbook, please email your questions or comments to EDCustomer@novell.com.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-1

SUSE LINUX Security/Self-Study Workbook

SUSE LINUX Enterprise Server 9 Setup Instructions Before starting the exercises in this workbook, you need to set up a SUSE LINUX Enterprise Server 9 server with the same conﬁguration as that provided in the classroom. There are two solutions provided for you: ■

“Access the SUSE LINUX Enterprise Server 9 as a VMware Server” on Intro-2

■

“Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST” on Intro-8

Access the SUSE LINUX Enterprise Server 9 as a VMware Server If you want to avoid dedicating a computer to a SUSE LINUX Enterprise Server 9 installation, you can use the SUSE LINUX Enterprise Server 9 VMware virtual server provided on the SUSE LINUX Enterprise Server 9 VMware Server DVD. The following guides you through installing and using the SUSE LINUX Enterprise Server 9 VMware server:

Workbook Intro-2

■

Check Setup Prerequisites

■

Install the SUSE LINUX Enterprise Server 9 VMware Server

■

Configure the SUSE LINUX Enterprise Server 9 VMware Server

■

Start the SUSE LINUX Enterprise Server 9 VMware Server

■

VMware Workstation Tips

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

Check Setup Prerequisites

The following items are required to run the SUSE LINUX Enterprise Server 9 VMware server on your computer: Table Intro-1

Item

Requirement

Memory

256 MB RAM (minimum)

Hard Drive Space

3.4 GB

DVD-ROM Drive

For reading the SUSE LINUX Enterprise Server 9 Self-Study Server DVD and other CDs required for the exercises.

Software

VMware Workstation 5 or later (Windows or Linux)

SUSE LINUX Enterprise Server 9 Self-Study Server DVD

Contains the SUSE LINUX Enterprise Server 9 VMware Server ﬁles

Although you can run the SUSE LINUX Enterprise Server 9 VMware server with 256 MB of RAM, processing time for performing some Linux administration tasks (such as using YaST) can be signiﬁcantly reduced by increasing memory for the VMware server. If you do not own a copy of VMware Workstation (or have a version earlier than 5), you can download and install a VMware Workstation 5 30-day evaluation copy from www.vmware.com.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-3

SUSE LINUX Security/Self-Study Workbook

Install the SUSE LINUX Enterprise Server 9 VMware Server

Once you have VMware Workstation 5 installed on your host computer, do the following to install the SUSE LINUX Enterprise Server 9 VMware server: 1.

Insert the SUSE LINUX Enterprise Server 9 Self-Study Server DVD in your DVD-ROM drive.

Copy the VMware server files on the DVD to a directory on your hard drive. We recommend creating a speciďŹ c directory (such as /tmp/vmware/SLES9_3058) to store the ďŹ les.

Start VMware Workstation 5.

Select File > Open ...

Browse to and open the sles.vmx file. The SLES9_3058 VMware server opens in VMware Workstation and is ready to start.

Some exercises require a second computer. Create a second VMware machine by creating another directory (like /tmp/vmware/SLES9_3058-2) on the VMware host and repeat Steps 2 - 5. To avoid mixing up the machines, you could give the second machine another hostname.

Workbook Intro-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

Conﬁgure the SUSE LINUX Enterprise Server 9 VMware Server

Before starting SUSE LINUX Enterprise Server 9, do the following: 1.

Select VM > Settings. A Virtual Machine Settings dialog appears. From this dialog you can adjust the settings for several devices such as memory, ﬂoppy drive, and network adaptor before starting the virtual server.

Check the following device settings: ❑

Memory. This memory setting indicates the amount of memory used by the SUSE LINUX Enterprise Server 9 virtual server on the host computer. Although you can run the SUSE LINUX Enterprise Server 9 virtual server with 256 MB of memory, we recommend increasing the amount (when possible) to increase the speed of certain administrative tasks (such as starting X Window or using the GUI version of YaST).

❑

DVD/CD-ROM. This is the DVD drive on your host computer, and should be set as a physical drive. We recommend leaving the default setting at “auto detect” for Windows. If you are running VMware Workstation on Linux, enter the device name of the DVD drive (such as /dev/hdc). You can normally select the device name from the drop-down list for the Device ﬁeld.

❑

Floppy Drive. This is the ﬂoppy drive on your host computer. The default is set to “A:” for a Windows computer. If you are running VMware Workstation on Linux, change the setting to the device for the ﬂoppy drive (such as /dev/fd0).

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-5

SUSE LINUX Security/Self-Study Workbook

❑

Network Adaptor. The “NAT” network connection default setting provides a VMware Workstation DHCP server for the SUSE LINUX Enterprise Server 9 server (which is conﬁgured to use DHCP). While you can select another setting (such as “Bridged”), these have not been tested and can cause problems completing the exercises. We recommend keeping the default “NAT” setting.

The rest of the settings should work properly to provide you with the access you need to devices for USB, sound, and mouse control. If not, return to this dialog to make the necessary adjustments to the settings. 3.

When you finish reviewing the virtual server configuration, save any changes and close the dialog by selecting OK. During the exercises, you use Ctrl + Alt to access features such as terminal consoles. VMware Workstation also uses this hot key combination to switch you out of the virtual server to the host machine.

To change the VMware hot key configuration, select Edit > Preferences. A Preferences dialog appears.

Select the Hot keys tab; then select the Ctrl-Shift-Alt option. Once you start the SUSE LINUX Enterprise Server 9 VMware server, you can press Ctrl + Shift + Alt to access the host machine, including the VMware Workstation menu options.

Workbook Intro-6

Save the change by selecting OK.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

Start the SUSE LINUX Enterprise Server 9 VMware Server

Do the following: 1.

Start the SUSE LINUX Enterprise Server 9 VMware server by selecting the Power On Button (or select Start this virtual machine).

The SUSE LINUX Enterprise Server 9 server starts booting.

(conditional) If you cannot see the entire SUSE LINUX Enterprise Server 9 window on your monitor, select the VMware Workstation full screen mode. After starting the SUSE LINUX Enterprise Server 9 services, a blank screen is displayed while the X Window GUI interface is loaded. Depending on the amount of memory allocated to the virtual server, loading the GUI interface can take almost a minute.

The VMware Tools package enhances the graphics resolution and color depth capabilities of your virtual server. This package is already installed in the SUSE LINUX Enterprise Server 9 VMware image on the Student CD. No action is needed on your part to install it.

Click in the virtual server window to switch keyboard and mouse functionality from the host computer to the virtual server. You are ready to start Exercise 2-2 Change PAM ConďŹ guration to Disable Graphical Root Login. (Exercise 2-1 Install SLES 9 with a Customized Partition Scheme is not needed if you use the VMware image as above.)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-7

SUSE LINUX Security/Self-Study Workbook

VMware Workstation Tips

Although we rely on your experience with VMware Workstation to complete the exercises in a virtual server environment, the following are some tips that can help you when using the SUSE LINUX Enterprise Server 9 virtual server: ■

If you cannot use the keyboard to enter text, try selecting the virtual server window with the mouse or try pressing Shift + Tab.

■

If you need to switch keyboard and mouse focus from the virtual server to the host computer, press Ctrl + Shift + Alt; then select the virtual window again to switch focus back.

■

If you want to save a copy of the SUSE LINUX Enterprise Server 9 virtual server before continuing on with an exercise or the next exercise, use the Snapshot feature (VM > Snapshot > Take Snapshot).

■

Before powering off the SUSE LINUX Enterprise Server 9 virtual server, make sure you shut down the server to avoid any problems caused by not shutting down the server cleanly.

Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST If you want to install the SUSE LINUX Enterprise Server 9 student server on an available computer, the 3058_Course_CD includes an AutoYaST ﬁle (/setup/student.xml) that automatically conﬁgures SUSE LINUX Enterprise Server 9 for you during installation. All you need to do is swap CDs during the installation.

Workbook Intro-8

By installing SUSE LINUX Enterprise Server 9 with AutoYaST, you remove the existing operating system and all ﬁles on your hard drive. Before starting the installation, make sure you back up any important ﬁles you want to keep.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

To install and conﬁgure SUSE LINUX Enterprise Server 9 on your computer with AutoYaST, do the following: 1.

Check to make sure your computer meets the following hardware requirements: ❑

A Pentium® III or AMD 750 Mhz or faster computer

❑

512 MB RAM (256 minimum)

❑

20 GB hard disk

❑

CD-ROM drive

Internet access is optional for completing the exercises. 2.

Copy the file student.xml (on your 3058 Setup CD) to the root of a floppy diskette.

Boot the server from SUSE LINUX Enterprise Server 9 CD 1.

When the GRUB installation screen appears, highlight the Installation option. You have 20 seconds to highlight the option before GRUB boots from the hard drive.

Set the display resolution by pressing F2; then select a display resolution of at least 1024x768. If a resolution of 1024x768 is not available, select the highest resolution available (such as 640x480).

Insert the floppy diskette with the file student.xml into the server diskette drive.

In the Boot Options field (bottom of the screen), type the following: autoyast=floppy:///student.xml Make sure you enter 3 forward slashes (///) or the installation program will not be able to find the file student.xml.

Version 1

When you are ready to begin installation, press Enter.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-9

SUSE LINUX Security/Self-Study Workbook

The kernel loads and the SUSE LINUX Enterprise Server 9 installation program detects the available hardware. A Novell Software License Agreement dialog appears. YaST takes care of accepting this agreement and interfacing with all other dialogs during installation. 9.

At certain points, YaST requests a particular SUSE LINUX Enterprise Server 9 installation CD. Insert the requested SUSE LINUX Enterprise Server 9 CD; then continue by selecting OK. Continue swapping CDs as indicated by the YaST installation program. The installation screen keeps you updated on the installation progress (time remaining and percentage completed). After copying files from the CDs, YaST performs tasks such as updating the configuration, copying files to the installed system, installing the boot manager, and preparing for an initial system boot. When these tasks are completed, YaST reboots the system.

10. Remove the student.xml diskette and the last SUSE LINUX

Enterprise Server 9 CD from the computer drives, and then wait for the system to boot. After the system automatically reboots and ﬁnishes conﬁguring, a GUI login screen appears. 11. Log in as geeko with a password of N0v3ll (a zero, not an

uppercase O).

Workbook Intro-10

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

SUSE LINUX Security Self-Study Workbook

Scenario The Digital Airlines management has made the decision to secure access from the local networks to the Internet with firewalls consisting of packet filters and application level gateways. The Digital Airlines offices will be connected using a VPN based on IPSec. To implement various components of this network topology, you need additional experience in the following areas: ■

System administration with a strong focus on security

■

Using cryptography to secure network services

■

Setting up packet filters

■

Setting up application-level gateways

■

Connecting networks using VPN technology

You decide to set up test servers in the lab to enhance your skills in these areas.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook Intro-11

SUSE LINUX Security/Self-Study Workbook

Workbook Intro-12

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Host Security

SECTION 2

Host Security

In this section of the workbook, you learn how to do the following:

Version 1

■

“Install SLES 9 with a Customized Partition Scheme” on 2-2

■

“Change PAM Configuration to Disable Graphical Root Login” on 2-6

■

“Subscribe to the SUSE Security Announcements” on 2-8

■

“Use nmap to Scan for Open Ports” on 2-9

■

“Run a nessus Scan” on 2-10

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 2-1

SUSE LINUX Security/Self-Study Workbook

Exercise 2-1 Before you start to work on this exercise, think about which partitioning scheme makes sense to use for which server purpose.

Install SLES 9 with a Customized Partition Scheme The purpose of this exercise is to show how security can be improved by selecting an appropriate partitioning scheme for the harddisk. During the exercises of this section, you will install the SLES9 server you will be using during the rest of the course. As this exercise assumes you are familiar with installation of SLES 9 in general, not every single step is described. To partition the hard disk, do the following: 1.

Turn on your machine and insert SLES 9 CD 1 in the CD ROM drive. Select Installation in the installation menu.

Follow the installation workflow until the Installation Settings screen appears.

Remove any partitions from the hard drive by doing the following: a.

Select Partitioning.

Select Create custom partition setup; then select Next.

Select Custom Partitioning -- for experts; then select Next.

d. Remove any existing partitions by selecting the device /dev/hda; then select Delete. A dialog appears asking if you really want to delete all the partitions on /dev/hda. e.

ConďŹ rm the deletion by selecting Yes. All partitions are removed from the list.

Workbook 2-2

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Host Security

Create new partitions according to the partitioning scheme which has been outlined by the instructor. If you are a self study student, you can use the following scheme: ❑

swap (1GB)

❑

/ (3GB)

❑

/usr (3GB)

❑

/opt (3GB)

❑

/var (2GB)

❑

/tmp (2GB)

❑

/home (1GB)

❑

/srv (Rest of the harddisc)

The sizes will vary depending on the disk space available and the purpose of the server. The following is the basic procedure to create partitions in the expert partitioner:

Version 1

Select Create.

Choose Primary Partition or Extended Partition. (You can create the first three partitions as Primary Partitions. Then you need to create one Extended Partition. In this Extended Partition you can then create further Logical Partitions.)

Select the Format checkbox and choose a filesystem. Select Swap for the swap partition and Reiser for all other partitions.

Adjust the End Cylinder Value. Type for example +3GB for a 3GB partition.

Select a mount point for the partition according to your partitioning scheme. You don’t have to select a Mount Point for the Swap partition.

Select OK, and start again with step1 for the next partition.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 2-3

SUSE LINUX Security/Self-Study Workbook

When you have created all partitions, close the Expert Partitioner and return to the Installation Settings overview.

In the Installation Settings overview window select Software. a.

Select Minimum graphical system (without KDE) and then Detailed selection

If you prefer to use a desktop environment select KDE or GNOME.

Select Analyzing Tools, as you will be using several of these during the course.

d. Select Accept. 7.

If a Automatic Changes dialog pops up, select Continue. Note: You will install further packages during this course to perform the exercises.

Software installation takes some time. 8.

Once all settings have been made in the Installation Settings dialog, select Accept and then Yes, install.

Proceed with the installation: There is no need to create a CA at this point, as this will be done later in the course. Therefore, select Skip conďŹ guration at this point. Do not activate LDAP, use local authentication. When prompted for the root password, select Expert Options and choose the encryption type BlowďŹ sh. Use novell as root password for the purpose of this course. Create a user geeko with the password N0v3ll. Unless the instructor tells you otherwise, use DHCP in the networking setup; domainname is digitalairlines.com; use 10.0.0.254 as default gateway.

Workbook 2-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Host Security

When done with the installation, log in to the graphical user interface as geeko. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 2-5

SUSE LINUX Security/Self-Study Workbook

Exercise 2-2

Change PAM Configuration to Disable Graphical Root Login In this exercise, you change the PAM conﬁguration by doing the following: 1.

Log out of the KDE desktop environment.

When the KDM login screen appears, log in with the following: ❑

Username: root

❑

Password: novell

Notice that you can log in as root without a root entry in the login screen. 3.

Log out again from the KDE desktop environment.

Open a terminal window and su to root.

Open the file /etc/pam.d/xdm in a text editor.

Add the following as the second line of the file: auth

required

pam_securetty.so

Save and close the file.

Log out and try to log in as root user at the KDM login screen again. The root login is denied.

10. Log in as geeko again.

If you cannot log in as geeko, restart the X server by pressing Ctrl + Alt + Backspace and try again. You might also need to reboot your server. 11. Open a terminal window and su to root.

Workbook 2-6

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Host Security

12. Open the file /etc/pam.d/xdm in a text editor and remove or

comment out the following line (the line you added): auth

required

pam_securetty.so

13. Save and close the file. 14. Log out and try to log in as root at the KDM login screen again.

You can now log in as root.

If you cannot log in as root, restart the X-server using Ctrl + Alt + Backspace and try again. 15. Log out of the KDE desktop environment and log back in as

geeko. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 2-7

SUSE LINUX Security/Self-Study Workbook

Exercise 2-3

Subscribe to the SUSE Security Announcements In this exercise, you subscribe to the SUSE security mailing list. This means that Novell/SUSE will inform you by email about current security issues of SUSE Linux products. If you don't want to receive these messages, skip this exercise. Do the following: 1.

From the KDE start menu, select Internet > Web Browser.

In the address bar of the browser, enter the following: http://www.suse.com/en/business/mailinglists.html

Scroll down to the entry suse-security-announce; then select the check box for that entry.

Scroll down to the bottom of that page. In the E-mail Address field, enter your email address.

Subscribe to the list by selecting OK.

Close the web browser window.

(End of Exercise)

Workbook 2-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Host Security

Exercise 2-4

Use nmap to Scan for Open Ports The purpose of this exercise is to familiarize you with nmap and port scans. You will work with another student in this exercise. Do the following: 1.

Open a terminal window an sux - to root with a password of novell.

Perform a TCP connect scan on the computer of your partner by entering the following command: nmap -sT <host_of_partner>. Compare the result with the output of netstat -patune on his or her computer.

Start Ethereal by typing ethereal.

Select Capture > Start.

Select OK.

Let your partner scan your computer with nmap.

Select Stop in the ethereal capture dialog.

Have a look at the packet list in ethereal. Can you identify the packets nmap used for the port scan?

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 2-9

SUSE LINUX Security/Self-Study Workbook

Exercise 2-5

Run a nessus Scan The purpose of this exercise is to show you how to set up nessusd and nessus client to scan hosts in the network. You will work with a partner. Do the following: 1.

Open a terminal window an sux - to root with a password of novell.

Create a certificate for the nessusd and add a user who might access nessusd by entering: nessus-mkcert nessus-adduser Answer any questions appropriately. Use geeko as the user to add. When prompted to enter rules within the adduser-script press CTRL-D without entering any rules.

Start nessusd by entering: rcnessussd start

Start the user interface by entering nessus

Enter the IP address of your partnerâ&#x20AC;&#x2122;s computer as the target host and scan it.

View the report by selecting the entries shown in the report window.

(End of Exercise)

Workbook 2-10

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Cryptography: Basics and Practical Application

SECTION 3

Cryptography: Basics and Practical Application

In this section of the workbook, you learn how to do the following:

Version 1

■

“Create a CA and Certificates on the Command Line” on 3-2

■

“(optional) Create a Root CA and Certificates Using YaST” on 3-5

■

“(optional) Work with GPG” on 3-6

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 3-1

SUSE LINUX Security/Self-Study Workbook

Exercise 3-1 The certificates created in this exercise are used later in the Network Security section of this course.

Create a CA and Certiﬁcates on the Command Line The purpose of this exercise is to familiarize you with the openssl command. The certiﬁcates created in this exercise can be used in an exercise in the next section. Do the following:

Complete the exercise succesfully and do not delete the certificates after the exercise.

Open a terminal window and su - to root with a password of novell.

Create the necessary directory structure in root’s home directory, (using your hostname instead of daxx) and change the permissions for the private directory: mkdir -p DAxx-ca/{certs,newcerts,private,crl} cd DAxx-ca chmod 700 private

Workbook 3-2

Edit the file /etc/ssl/openssl.conf with a text editor and change variables and company entries appropriately, like /root/DAxx-CA for dir and Digitalairlines as company

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Cryptography: Basics and Practical Application

The following is the example for the system da10. Please adjust your settings to your environment.. # This definition # defined. HOME = ... dir = certs = crl_dir = database = unique_subject =

stops the following lines choking if HOME isn't /root/DA10-CA

new_certs_dir

/root/DA10-CA # Where everything is kept $dir/certs # Where the issued certs are kept $dir/crl # Where the issued crl are kept $dir/index.txt # database index file. yes # Set to 'no' to allow creation of # several certificates with same # subject. = $dir/newcerts # default place for new certs.

certificate serial #crlnumber

= $dir/da10-cacert.pem = $dir/serial = $dir/crlnumber

# The CA certificate # The current serial number # the current crl number # must be commented out to leave a

V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/da10-cakey.pem # The private key RANDFILE = $dir/private/.rand # private random number file ... [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = de countryName_min = 2 countryName_max = 2 stateOrProvinceName stateOrProvinceName_default

= State or Province Name (full name) = Bavaria

localityName localityName_default ...

= Locality Name (eg, city) = Munich

To create the self-signed root certificate of your CA, enter openssl req -newkey rsa:2048 -x509 -days 3650 \ -keyout private/daxx-cakey.pem -out daxx-cacert.pem Answer the questions.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 3-3

SUSE LINUX Security/Self-Study Workbook

To view the certificate, entering: openssl x509 -in daxx-cacert.pem -text

To create the files index.txt and serial, enter touch index.txt ; echo 01 > serial

To create a certificate signing request for your machine, enter openssl req -new -keyout private/daxx_prv_key.pem \ -out certs/daxx_req.pem -days 365 Answer the questions.

The sequence of -out and -infiles is important. If -infiles is first, you get a not too helpful error message.

To sign the certificate signing request and create the certificate, enter openssl ca -policy policy_anything -notext \ -out certs/daxxcert.pem -inďŹ les certs/daxx_req.pem

View the files index.txt and serial with cat.

10. Repeat steps 7â&#x20AC;&#x201C;9 to create another certificate for

server.digitalairlines.com. 11. To revoke the certificate just created and create a certificate

revocation list enter openssl ca -revoke certs/servercert.pem openssl ca -gencrl -out crl/daxx-crl.pem 12. View the files index.txt and serial with cat. (End of Exercise)

Workbook 3-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Cryptography: Basics and Practical Application

Exercise 3-2

(optional) Create a Root CA and CertiďŹ cates Using YaST The purpose of this exercise is to teach you how to manage a CA using YaST. Just a rough outline of steps is given here. Do the following: 1.

Start a terminal window and sux - to root with a password of novell.

Start the YaST CA Management module by entering yast2 ca_mgm

Select Create Root CA and follow the steps of the wizard to create a root CA. Use values of your choice to ďŹ ll in the dialogs.

Enter the root CA you just created.

Export the CA certificate to a file.

Create a server certificate.

Export the server certificate.

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 3-5

SUSE LINUX Security/Self-Study Workbook

Exercise 3-3

(optional) Work with GPG The purpose of this exercise is to familiarize you with some of the features of GPG and how keys are managed to exchange encrypted mail. Work with a partner to exchange keys and exchange encrypted mails or ﬁles. Do the following: 1.

Open a terminal window and create a public/private GPG-key pair by entering gpg --gen-key You have to answer several questions; the defaults will do for this exercise. When creating your personal key pair you might want to choose 2048 bits for the key length. Make sure that you remember the Real name you enter during the key creation process.

To export your public key to a file, enter gpg -a --export “real name” > name.asc Choose a resonable name for the key ﬁle. Transfer this ﬁle to your partner using scp.

To import the public key of your partner, enter gpg --import partners_name.asc

No mail service is set up in the course room, so you will encrypt and transfer a file instead of mailing it. Write a message to a file, such as echo Hello, how are you > textﬁle

To encrypt that file, enter gpg -ea textﬁle

Workbook 3-6

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Cryptography: Basics and Practical Application

You are prompted to enter a user ID. The name that is part of the key will do, or use the hexadecimal ID of the key if there are several keys with the same name. 6.

View the file textfile.asc using cat.

Transfer the file to your partner, get his encrypted file to your computer, using a descriptive filename to avoid overwriting each others files.

To decrypt the file, enter gpg filename.asc ; cat filename To view the decrypted file directly on the screen, you can use gpg -o - filename

Sign the file with gpg --clearsign textﬁle

10. Verify the signature with

gpg textﬁle.asc 11. Load the file textfile.asc in vi and alter one letter of the message.

Save the changes and close vi. Verify the signature again. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 3-7

SUSE LINUX Security/Self-Study Workbook

Workbook 3-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Network Security

SECTION 4

Network Security

In this section of the workbook, you learn how to do the following:

Version 1

■

“Configure the TCP Wrapper” on 4-2

■

“Use stunnel to Secure POP3 with SSL” on 4-5

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 4-1

SUSE LINUX Security/Self-Study Workbook

Exercise 4-1

Conﬁgure the TCP Wrapper In this exercise you work with a partner to practice conﬁguring the TCP wrapper. The exercise consists of the following parts: ■

Part I: Secure the FTP Service

■

Part II: Configure a Twist

■

Part III: Configure Logging

Part I: Secure the FTP Service

In this part of the exercise, you secure the FTP service so that everyone in the classroom except your partner can access the FTP server on your system. Do the following: 1.

Use YaST to install the package vsftpd.

Open a terminal window and su to the root user.

Open the file /etc/xinetd.d/vsftpd with a text editor.

Make sure the line disable = yes starts with a # character.

Save and close the file.

Restart xinetd with the command rcxinetd restart.

Open the file /etc/hosts.deny in a text editor.

Add the following to the end of the file:

vsftpd : IP_of_partner

10. Save the file. 11. Have your partner attempt to ftp to your system; then have

another student in the classroom attempt to ftp to your host. 12. The connection for your partner is closed. However, others can

ftp to your server.

Workbook 4-2

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Network Security

13. Place a comment character (#) in front of the line you just added

to the file /etc/hosts.deny; then add the following line: ALL:ALL 14. Save the file and close the editor. 15. Set the same security restriction by editing the file

/etc/hosts.allow: Open the file /etc/hosts.allow in a text editor. 16. Add the following to the end of the file:

vsftpd : ALL EXCEPT IP-of-partner 17. Save and close the file. 18. Have your partner try to ftp to the system; then have another

student in the classroom attempt to ftp to your host. The results should be the same as with the ﬁle hosts.deny.

Part II: Conﬁgure a Twist

In this part of the exercise you conﬁgure TCP wrapper to execute another program than the respective daemon. Do the following:

Version 1

Open a terminal window and su to the root user.

Edit the ALL:ALL line in /etc/hosts.deny to reflect the following: ALL: ALL: twist (echo "This service is not accessible from %a!")

Save and close the file.

Have your partner try to ftp to the system to verify that the message is sent.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 4-3

SUSE LINUX Security/Self-Study Workbook

Part III: Conﬁgure Logging

In this part of the exercise you conﬁgure logging, using the spawn feature of TCP wrapper. Do the following: 1.

Open a terminal window and su to the root user.

At the bottom of the file /etc/hosts.allow, change the “vsftpd” line to reflect the following: vsftpd,vsftpd : ALL EXCEPT IP-of-partner : spawn (echo "%a accessed %s" >> /tmp/service-access.log)

Save and close the file.

Have someone in the class besides your partner attempt to ftp to the system to verify that the entry is logged.

Verify that all of the activity to the services under xinetd have been logged in /var/log/xinetd.log by entering cat /var/log/xinetd.log.

(End of Exercise)

Workbook 4-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Network Security

Exercise 4-2

Use stunnel to Secure POP3 with SSL The purpose of this exercise is to practice securing a service with stunnel. Do the following: 1.

Open a terminal window and sux - to root using a password of novell.

Install the packages stunnel and qpopper by entering yast -i stunnel qpopper and inserting the appropriate CD when requested.

Use a certificate and its corresponding private key created in the exercise “Create a CA and Certificates on the Command Line” on 3-2 or in the exercise “(optional) Create a Root CA and Certificates Using YaST” on 3-5. You can either ❑

Use the certificate and private key created for your computer with openssl on the command line. In this case you need to create a copy of the private key that is not secured with a passphrase: openssl rsa < private/daxx_prv_key.pem \ > private/daxx_prv_key-unenc.pem Copy the certificate and the private key into one file: cat certs/daxx_cert.pem \ private/daxx_prv_key-unenc.pem \ >> /etc/stunnel/stunnel.pem Also copy the RootCA certificate to the directory /tmp. or

❑

Version 1

Use the certiﬁcate and private key created for your computer in the YaST CA Management module.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 4-5

SUSE LINUX Security/Self-Study Workbook

Export it to /etc/stunnel/stunnel.pem, selecting Certiﬁcate and Key Unencrypted in PEM Format in the Export dialog. Also export the RootCA certiﬁcate and save it in the directory /tmp. 4.

Limit access to the file /etc/stunnel/stunnel.pem by entering chmod 600 /etc/stunnel/stunnel.pem

Using vi, modify the configuration of stunnel in the file /etc/stunnel/stunnel.conf to reflect the following entries (some lines need a comment symbol #, some need the comment symbol deleted, and other lines need to be added by you—you have to look through the file to find the lines): #chroot = /var/lib/stunnel/ #setuid = stunnel #setgid = nogroup ... [pop3s] accept = 995 # connect = 110 exec = /usr/sbin/popper execargs = popper -s

Start stunnel by entering rcstunnel start. If there are any error messages, correct your conﬁguration accordingly.

Test your POP server by configuring a mail program of your choice to pick up mail of a local account (such as geeko) from localhost port 995. Make sure that you use the full hostname (daxx.digitalairlines.com) in the pop server ﬁeld, not just localhost.

Workbook 4-6

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Network Security

When finished with the configuration, actually try to pick up mail. You should see an error message that the server certiﬁcate failed the authenticity test. Do not accept the certiﬁcate at this point but select cancel (or whatever your mail program offers at this point). 8.

Import the CA certificate into your application. How this is done depends on your mail program. If you use KMail, you do that by starting konqueror and selecting Settings > Configure Konqueror > Crypto > SSL signers Tab > Import Change directory to /tmp and choose the CA certificate suitable for the stunnel certificate, either the OpenSSL or the YaST one.

Connect again to your mailbox with your mail program. You should not get the same error message again, since the certificate can now be validated by the mail program. You might get a message that the certificate does not belong to the server if the common name in the certificate differs from the domain name you contacted. In this case you might want to create a new certificate with the correct name.

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 4-7

SUSE LINUX Security/Self-Study Workbook

Workbook 4-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

SECTION 6

Packet Filters

In this section of the workbook, you learn how to do the following:

Version 1

■

“Get Familiar with Basic iptables Syntax” on 6-2

■

“Modify the Script to Set and Delete iptables Rules” on 6-15

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-1

SUSE LINUX Security/Self-Study Workbook

Exercise 6-1 In this exercise the computer that is used for testing should not have any iptables rules set. Otherwise the results also depend on the settings of this testing computer.

Get Familiar with Basic iptables Syntax The purpose of this exercise is to familiarize you with the iptables syntax and to show the effect of some iptables rules. In the first part, you use iptables on the command line only. Any rules set with iptables are lost with the next reboot. As rules defined on the command line are lost with the next reboot, the rules that make up the packet filter should be included in a shell script that is executed during system startup. Part II and the subsequent parts of this exercise deal with writing such a script to set and delete rules. There is no single right way to write such a script. Keep it as simple as possible so you don’t inadvertently open security holes. Use comments within the script liberally so you can still understand it when you have to modify it later. The exercise will not cover every single step but will outline what needs to be done to create a working script. Work with a partner in this exercise. You will have to coordinate with each other regarding setting and testing of rules. If you both set rules at the same time and then test them, the test might not produce the expected result, as the rules on the testing computer might interfere with the test. This exercise consists of:

Workbook 6-2

■

Part I: Set iptables Rules on the Command Line

■

Part II: Prepare a Structure for a Script

■

Part III: Define General Variables

■

Part IV: Create a Section to Delete Any Existing Rules

■

Part V: Create a Section to Display the Current Rule Set

■

Part VI: Add Static Rules

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

Part I: Set iptables Rules on the Command Line

The purpose of the ďŹ rst part of this exercise is to show you how iptables is used and the effect the commands have. Do the following: 1.

Open a terminal window and su - to root with a password of novell.

Check if there are any rules set already by entering iptables -v -L -n

If there are any rules in the INPUT, OUTPUT, or FORWARD chain, delete them by entering iptables -F

Set a rule blocking all ICMP packets to your computer coming from other computers by entering iptables -A INPUT -i eth0 -p icmp -j DROP (This is only an example. Blocking all ICMP messages is generally not advisable.)

Have your partner test this rule by sending an echo request (ping) to your computer.

Try to send an echo request to your partnerâ&#x20AC;&#x2122;s computer.

Delete the rule you set in Step 4 by entering iptables -D INPUT -i eth0 -p icmp -j DROP

Set a rule blocking all ICMP packets from your computer to other computers by entering iptables -A OUTPUT -o eth0 -p icmp -j DROP

Version 1

Have your partner test this rule by sending an echo request (ping) to your computer.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-3

SUSE LINUX Security/Self-Study Workbook

10. Try to send an echo request to your partner’s computer. (You will

notice a slightly different output of the ping command compared to Step 6 above.) 11. Delete the rule you set in Step 8 by entering

iptables -D OUTPUT -o eth0 -p icmp -j DROP 12. Set a rule blocking all ICMP packets in the FORWARD chain by

entering iptables -A FORWARD -p icmp -j DROP If there is only one NIC in your computer you cannot test this rule. However you can test if this rule affects trafﬁc to and from your computer (which it shouldn’t) by asking your partner to ping your computer and by sending an echo request to your partner’s computer. 13. Flush your rules by entering

iptables -F 14. Find out what happens when you use ssh to connect to your

partner’s ssh port by entering ssh geeko@partner_IP When prompted, enter the password N0v3ll. After you have successfully logged in, logout again by pressing Ctrl-D. 15. Create an iptables rule that drops TCP packets addressed to port

22 (SSH) by entering iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP 16. After your partner sets the rule on his or her computer, try again

to login to your partner’s computer and notice the difference from the results in Step 14. 17. Change the rule from Step 15 to use REJECT as its target instead

of DROP.

Workbook 6-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

You can either delete the rule and create a new one, or replace the rule by entering iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT 18. View the current ruleset by entering

iptables -v -L -n 19. After your partner sets the rule on his or her computer, try again

to ssh to your partner’s computer and find out if there is any difference to before. If yes, why is that? 20. Change the rule from Step 17 once more to reject with a TCP

reset instead of the ICMP message port unreachable by entering (on one line) iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset 21. View the current ruleset by entering

iptables -v -L -n 22. After your partner sets the rule on his or her computer, again

connect to your partner’s computer using ssh and find out if there is any difference to before. 23. Flush your ruleset by entering

iptables -F

Part II: Prepare a Structure for a Script This exercise will take quite some time. If you do not have some experience with shell scripts, you will have difficulty doing this exercise.

Version 1

Because any packet ﬁlter rules set with iptables are lost with the next reboot, it is common practice to write a script to set them. In addition to setting the rules (start), such a script should allow to delete the rules (stop) and to show the currently active rules (status). It should also allow integration into the runlevel concept.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-5

SUSE LINUX Security/Self-Study Workbook

The ďŹ le /etc/init.d/skeleton gives an outline of how such a script could be structured. The purpose of this and the following parts of this exercise is to show you the basic elements of such a script to set up and delete iptables rules. Do the following: 1.

Open a terminal window and su - to root with a password of novell.

Change directory to /etc/init.d/.

Copy the file skeleton to fw-script.

Change the permissions so that the script can be executed by entering chmod 744 /etc/init.d/fw-script

Workbook 6-6

Open the file fw-script in a text editor.

Keep the sections on init info and the case sections start, stop, status, and *. Delete the comments and sections you do not need.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

Your result could look similar to the following: #! /bin/sh # # /etc/init.d/fw-script and its symbolic link # /(usr/)sbin/rcfw-script # ### BEGIN INIT INFO # Provides: packetfilter # Required-Start: $syslog $network # Required-Stop: $syslog $network # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: Sets packet filter rules # Description: Sets packet filter rules ### END INIT INFO # . /etc/rc.status # Reset status of this service rc_reset case "$1" in start|restart|reload) echo -n "Starting Firewall " # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down Firewall " # Remember status and be verbose rc_status -v ;; status) echo "Current Firewall-rules " rc_status -v ;; *) echo "Usage: $0 {start|stop|status|restart|reload}" exit 1 ;; esac rc_exit

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-7

SUSE LINUX Security/Self-Study Workbook

(A template similar to the above can be found on the student CD in the directory for this section.)

Part III: Deﬁne General Variables

The use of variables makes it easier to maintain the script. Do the following: 1.

Within the start section, define the following variables: EXT_IF=eth0 EXT_IP=<your_IP> INT_IF= INT_IP=

Because the computers in the class room might have only one NIC, this exercise is limited to deﬁning rules for the INPUT and OUTPUT chains. The variables INT_IF and INT_IP can be used for a second NIC and rules for the FORWARD chain. You can also deﬁne variables for the IP address of the nameserver and other computers. Using variables facilitates later changes, as you only have to change the variable at one point, not the IP within various rules. 2.

Workbook 6-8

Also in the start section, set kernel parameters like

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

# echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo 1 >\ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Protect from ICMP redirect packets: for f in /proc/sys/net/ipv4/conf/*/accept_redirects do echo 0 > $f done # Block source routed packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > $f done ... (If you donâ&#x20AC;&#x2122;t want to type this, have a look at the ďŹ les on the student CD.)

To see a brief explanation of these and other parameters, start the YaST Powertweak module and select the Networking options. The above values can also be set within the Powertweak module instead of this script. 3.

Version 1

Add comments to your definition of variables and kernel parameter settings.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-9

SUSE LINUX Security/Self-Study Workbook

Part IV: Create a Section to Delete Any Existing Rules

This makes sure that you can delete any rules you set. Go to the stop section within the case statement and add iptables commands to delete any existing rules: 1.

Add an informative message to be displayed when the script is called with the stop parameter.

Flush the chains by typing iptables -F iptables -t nat -F

Delete any user-defined chains by typing iptables -X

Set the policy of the built in chains to accept by typing iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT

You can also reset the kernel parameters to previous settings in the stop section as needed.

Part V: Create a Section to Display the Current Rule Set

Viewing the current rule set helps in debugging. Do the following: 1.

Go to the status section within the case statement to add iptables commands to display the currently active rules.

Add the following lines to the status section iptables -v -n -L iptables -v -n -t nat -L POSTROUTING iptables -v -n -t nat -L PREROUTING

Workbook 6-10

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

Part VI: Add Static Rules

Now the main part: The rules themselves. To add static rules, do the following: 1.

Go to the start section within the case statement to add your rules with iptables commands.

Set the default policy to DROP by typing iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP

Flush existing rules and delete existing user defined chains by typing iptables -F iptables -t nat -F iptables -X If you do not ďŹ&#x201A;ush the rules in the beginning, each call of the script with the parameter start adds the rules again to the chain.

Allow all traffic from and to the loopback interface by typing iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT

Define rules to allow others to access the ssh server on your computer by typing iptables -A INPUT -p TCP -i $EXT_IF --dport 22 \ -j ACCEPT iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 \ -j ACCEPT

Version 1

(Optional) Limit the above INPUT rule to a destination IP address as well as certain source IP addresses and source ports.

Add a rule that logs packets that are dropped in the INPUT chain by typing

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-11

SUSE LINUX Security/Self-Study Workbook

iptables -A INPUT -j LOG --log-preﬁx “INPUT-DROP “ 8.

Add a rule that rejects packets instead of having them dropped by the default policy of the chain by typing iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Start your script by entering in a terminal window (as root) /etc/init.d/fw-script start If there are any error messages, correct any mistakes in the syntax within your script.

10. Have your partner try to access your ssh daemon.

If he cannot do so, it could be because there is something wrong with your rules or because rules on his or her computer do not allow him or her to contact another server (or both). Find out what the problem is by looking at /var/log/messages with less or tail -f on both computers. It is actually a good idea to have a separate terminal window with tail -f /var/log/messages constantly open while testing the rules. If it turns out his rules forbid him to contact your computer, have him call his script with the parameter stop and try again. Correct any errors in your own script. 11. Test if your script actually blocks traffic to other services.

Start the Apache web server with rcapache2 start and have your partner try to access your computer with a browser. You should see log entries for dropped packets in /var/log/messages.

Workbook 6-12

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

! --syn prevents other computers from establishing a TCP connection from port 22. The first packet of a TCP handshake originating at port 22 is discarded by this rule.

12. If your partner asked you if you could reach his or her ssh

daemon and you tried with the current rules active, you would notice that your current rules do not allow you to do that. Deﬁne rules that allow you to contact the ssh daemon on other computers by entering iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \ -j ACCEPT iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 \ -j ACCEPT Why should you add ! --syn?

13. Add another ruleset like the one in Step 12 allowing you to

contact web servers (port 80) on other computers. 14. Add a rule that logs packets that are dropped in the OUTPUT

chain by entering iptables -A OUTPUT -j LOG --log-preﬁx \ “OUTPUT-DROP “ 15. Activate your rules by entering /etc/init.d/fw-script start (your

current rules will be replaced by the new ones). 16. Try to contact the sshd on your partner’s computer. 17. Try to contact a web server. 18. Try to ping your partner’s computer and watch the log file. 19. Have him turn off his rules and then have him ping you.

Watch your log ﬁle. 20. Add rules allowing incoming and outgoing ICMP messages.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-13

SUSE LINUX Security/Self-Study Workbook

21. Restart your script.

Ping your partnerâ&#x20AC;&#x2122;s computer and have him ping yours. 22. Add comments to describe what your rules are supposed to do. (End of Exercise)

Workbook 6-14

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

Exercise 6-2

Modify the Script to Set and Delete iptables Rules The script developed in the last exercise uses static filtering rules only. In this exercise you will modify the script to include dynamic filtering rules and you will create and use a user-defined chain. ■

Part I: Use Stateful Packet Filtering

■

Part II: User-Defined Chains

■

Part III: (optional) View the SuSEFirewall2 Configuration and Script

Part I: Use Stateful Packet Filtering

The state module helps to simplify the script and thus make it less error prone. And it adds the feature of statful inspection to the computer. To replace the rules defined so far for TCP connections, do the following: 1.

Put a comment sign in front of those six rules (Two each for ssh in and out, and www).

Define rules for the second and all subsequent packets of a connection using the connection tracking module: # INPUT-Chain iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # OUTPUT-Chain iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Version 1

Define a rule allowing the first packet of a connection to the ssh daemon on your computer by entering

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-15

SUSE LINUX Security/Self-Study Workbook

iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT 4.

Set the new rules by entering /etc/init.d/fw-script start Have your partner access the ssh daemon on your computer. Watch the log ﬁle.

View the entry tracking the connections in the /proc file system by entering cat /proc/net/ip_conntrack

Add rules that allow you to access the sshd and web servers on other computers. Test this and the access to the web server running on your computer to see if it is still blocked as intended.

Add useful comments to your script.

Part II: User-Deﬁned Chains

User-deﬁned chains can help reduce the number of rules packets have to run through before a hit or make the script easier to understand (or both). The user-defined chain has to exist before any rule uses the chain as a target. Therefore, these rules should appear in the script above the rules for the built in chains. In this part, you will set up a user-defined chain for UDP packets. You may have noticed that the script so far does not allow any name resolution.

Workbook 6-16

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

Do the following: 1.

Locate an appropriate point in the script to insert the lines and create the chain udp-rules by typing iptables -N udp-rules

Create a rule for a packet querying a nameserver by entering (on one line) iptables -A udp-rules -o $EXT_IF -p udp --dport 53 -m state --state NEW -j ACCEPT (There is no need for a rule for the answer packets because they are covered by the rule from Part I covering second and subsequent packets.)

Under certain circumstances there is a fallback to TCP for name resolution. Therefore, a similar rule is needed for TCP port 53. 3.

Packets that do not match any of the rules in the user-defined chain continue down the built-in chain they came from. This is not what is intended here; therefore, insert a rule to log packets and another to reject them by entering iptables -A udp-rules -j LOG --log-preﬁx “REJECT-udp “ iptables -A udp-rules -j REJECT Because this last rule matches all packets, none return to the previous chain.

The rule to end all UDP packets from the output chain to the user-defined chain has to be inserted after the general rules for second and subsequent packets, as otherwise the answers to the UDP packets your computer sends out will be discarded. Add this rule by typing at the appropriate point in the script iptables -A OUTPUT -p upd -j udp-rules

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-17

SUSE LINUX Security/Self-Study Workbook

If you want to allow incoming UDP traffic, a similar rule is needed for the INPUT chain. Within the user-defined chain you can distinguish incoming and outgoing traffic by the -i and -o options. 5.

Set the rules by entering /etc/init.d/fw-script start Find out if name resolution is now functional.

(optional) Create another user-defined chain that takes care of the logging. Instead of logging packets in built-in or other user-deﬁned chains, send those packets to a separate user-deﬁned chain to be logged and then dropped or rejected.

(optional). Watch the log file for a while. You will see all kinds of entries for packets being rejected. Write rules allowing IP trafﬁc that is needed for proper computer operation.

(optional). Have your partner test your filter rules with nmap from his computer.

Part III: (optional) View the SuSEFirewall2 Conﬁguration and Script

The purpose of this exercise is to show you a sophisticated setup and its complexity. Do the following:

Workbook 6-18

View /etc/sysconfig/SuSEfirewall2 by using less.

View the script /sbin/SuSEfirewall2 by using less.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Packet Filters

View the scripts /etc/init.d/SuSEfirewall2_* by using less.

(End of Exercise)

Exercise Answers Exercise 6-1 Get Familiar with Basic iptables Syntax, “Part VI: Add Static Rules” on 6-11: 12. Why should you add ! --syn? The rule iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \ -j ACCEPT allows all TCP packets from port 22 exept the ﬁrst packet of a TCP connection which has only the syn bit set. ! --syn prevents TCP connections starting from port 22 of another computer. In this way it is possible for you to contact other SSH servers and to receive their answers, but it is not possible to initiate a connection from port 22 of another computer to your computer, as the ﬁrst packet of the TCP handshake is discarded. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 6-19

SUSE LINUX Security/Self-Study Workbook

Workbook 6-20

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

SECTION 7

Application-level Gateway

In this section of the workbook, you learn how to do the following:

Version 1

■

“Install and Configure Squid” on 7-2

■

“Configure SSL in Squid” on 7-7

■

“Configure Proxy Authentication” on 7-10

■

“Configure Content Filtering” on 7-14

■

“Analyze Squid Log File” on 7-17

■

“Use Dante” on 7-19

■

“Configure rinetd” on 7-25

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-1

SUSE LINUX Security/Self-Study Workbook

Exercise 7-1 Use Mozilla in all Squid exercises. Konqueror does not handle proxy authentication very well, which might lead to confusing error messages.

Install and Configure Squid In this exercise you install and configure Squid and configure a web browser to test your Squid setup. For some parts of the exercise you will work with a partner. The exercise consists of the following parts: ■

Part I: Install Squid and Mozilla

■

Part II: Configure Squid

■

Part III: Configure Mozilla to Use the Proxy

■

Part IV: Monitor Access to Squid

■

Part V: Test Your Partner’s Proxy

Part I: Install Squid and Mozilla

To install Squid, do the following: 1.

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

Workbook 7-2

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Enter squid in the Search field; then select Search.

On the right side, select the check box before the squid entry in the Results list.

In the Search field, enter mozilla; then select Search.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

On the right side, select the check box before the mozilla entry in the Results list.

In the lower right corner of Package Manager, select Accept.

10. When YaST displays a dialog about package dependencies,

select OK. 11. After all packages have been installed, close YaST by selecting

Close.

Part II: ConďŹ gure Squid

To conďŹ gure Squid, do the following: 1.

Open a terminal and su to the root user.

Open the file /etc/squid/squid.conf in a text editor.

Find the configuration tag http_port. Remove the # before the tag. Set the value 8080 for the tag. The line should look like the following:

http_port 8080

Look for the section where the acl tags are defined. Insert a new line after acl all src 0.0.0.0/0.0.0.0. The line should look like the following:

acl local_net src 10.0.0.0/24

Look for the section where the http_access tags are defined.

After http_access allow localhost, insert a new line and enter http_access allow local_net

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-3

SUSE LINUX Security/Self-Study Workbook

Save the file and close the text editor.

Start Squid by entering rcsquid start

Monitor the output of the start script. The output should end with

Starting WWW-proxy squid

done

Part III: ConďŹ gure Mozilla to Use the Proxy

To conďŹ gure Mozilla to use the proxy, do the following: 1.

Start Mozilla by selecting Start > Internet > Web Browser > Mozilla

In Mozilla, select Edit > Preferences.

On the left side of the Configuration dialog select Advanced > Proxies.

Select Manual Proxy Configuration.

In the HTTP Proxy and the SSL Proxy line, enter the IP_address_of_your_system and the port number 8080.

Close the dialog by selecting OK.

Close the Mozilla preferences dialog by selecting OK.

In the address bar, enter http://www.novell.com/. The web site should be loaded.

Workbook 7-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Part IV: Monitor Access to Squid

To monitor access to Squid, do the following: 1.

Make sure Mozilla is configured to use the proxy server as described in Part III.

Open a terminal and su - to the root user with the password of novell.

To view the content of the Squid log file, enter tail -f /var/log/squid/access.log

Press Enter a few times to insert some empty lines.

Open Mozilla by selecting Start > Internet > Web Browser > Mozilla.

In the address bar, enter http://www.novell.com/. Wait until the site is loaded.

Switch to the terminal window and look at the new entries that have been added to the log file. Every request made to the proxy server is logged in the log ďŹ le.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-5

SUSE LINUX Security/Self-Study Workbook

Part V: Test Your Partner’s Proxy

Use the instructions in Part III to conﬁgure Mozilla so that it uses your partner’s proxy server. To test your partner’s proxy, do the following: 1.

Wait until you partner is looking at the Squid log file as described in Part IV of this exercise.

In the address bar of Mozilla, enter http://www.novell.com/.

Ask your partner if your access shows up in the log files.

Let your partner test your proxy.

(End of Exercise)

Workbook 7-6

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Exercise 7-2

Conﬁgure SSL in Squid This exercise assumes that Squid has been conﬁgured as described in the previous exercise and that Mozilla is using the proxy server that is installed on your system for all protocols. The exercise consists of the following parts: ■

Part I: Test the Current SSL Configuration

■

Part II: Disable SSL in Your Squid Configuration

■

Part III: Test if SSL Is Disabled

■

Part IV: Re-Enable SSL in Squid

Part I: Test the Current SSL Conﬁguration

To test the current SSL conﬁguration, do the following: 1.

Select Start > Internet > Web Browser > Mozilla.

In the address bar, enter http://www.novell.com.

On the Novell web site, select My Acount in the top navigation. You are directed to the Novell Login screen.

Version 1

Make sure that the site is loaded doly and that the address in the address bar starts with https://

When the site loads correctly, this is a sign that SSL can be used over your Squid proxy at the moment.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-7

SUSE LINUX Security/Self-Study Workbook

Part II: Disable SSL in Your Squid Conﬁguration

Do the following: 1.

Open a terminal window and su to root user.

Open the file /etc/squid/squid.conf in a text editor.

Change the line http_access deny CONNECT !SSL_ports to http_access deny CONNECT

Save the file and close the text editor. The connect method is now denied in general and not only to the hosts that are not deﬁned in SSL_ports.

Reload Squid by entering rcsquid reload.

Part III: Test if SSL Is Disabled

To test if SSL is disabled, do the following: 1.

Open a Mozilla window by selecting Start > Internet > Web Browser > Mozilla.

In the address bar, enter http://www.novell.com.

When the site is loaded, select the My Account link in the top navigation bar. The access to the site should be denied now, since SSL is disabled in the proxy conﬁguration.

Workbook 7-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Part IV: Re-Enable SSL in Squid

To re-enable SSL in Squid, do the following: 1.

Open a terminal window and su to the root user.

Open the file /etc/squid/squid.conf with a text editor.

Change the line http_access deny CONNECT to http_access deny CONNECT !SSL_ports

Save the file and close the text editor.

Reload Squid by entering rcsquid reload.

Check if SSL works again by repeating all steps in Part III.

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-9

SUSE LINUX Security/Self-Study Workbook

Exercise 7-3

Configure Proxy Authentication In this exercise you can practice how to configure proxy authentication in Squid. To be able to work through this exercise, you need to have Squid and Mozilla configured as described in the previous exercises of this section. The exercise consists of the following parts: ■

Part I: Add a User to the Proxy System

■

Part II: Configure Basic Authentication

■

Part III: Test User Authentication

■

Part IV: Configure digest Authentication

Part I: Add a User to the Proxy System

Do the following:

Workbook 7-10

Select Start > System > YaST.

On the left side, select Security and Users.

On the right side, select Edit and Create Users.

Make sure that Users is selected.

Select Add.

Enter the following information: ❑

Full User Name: Peter Bear

❑

User Login: pbear

❑

Password: Novell

❑

Verify Password: Novell

Select Create.

When YaST notifies you about a weak password, confirm the dialog by selecting Yes.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Select Finish.

10. Select Close.

Part II: ConďŹ gure Basic Authentication

Do the following: 1.

Open a terminal window and su to the root user.

Open the file /etc/squid/squid.conf with a text editor.

Look for the auth_param section.

Change the file so that only the following auth_param lines are active: auth_param basic program /usr/sbin/pam_auth auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours

Look for the acl section in the configuration file.

Add the following acl line after the acl called all: acl allowed_user proxy_auth pbear

Look for the http_access section in the configuration file.

Find the following two lines http_access allow localhost http_access allow local_net and add the new proxy_auth acl to those lines as in the following example: http_access allow localhost allowed_user http_access allow local_net allowed_user This way the IP address and the user name must match in both lines to grant access to the proxy.

Version 1

Save the file and close the text editor.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-11

SUSE LINUX Security/Self-Study Workbook

10. Restart Squid by entering rcsquid restart.

Part III: Test User Authentication

Do the following: 1.

Select Start > Internet > Web Browser > Mozilla.

Make sure your web browser is configured to use the proxy installed on your system.

In the address bar, enter http://www.novell.com. When the authentication works, a password dialog should pop up.

Enter the following information: ❑

User name: pbear

❑

Password: Novell

Confirm the password dialog by selecting OK. The Novell web site should be loaded.

Part IV: Conﬁgure digest Authentication

Do the following: 1.

Open a terminal window and su to the root user.

Create a file with the name proxy_passwd in the directory /etc/squid/

Add the following line to the file pbear:SUSE

Save the file and close the text editor.

Change the owner of the file by entering chown squid /etc/squid/proxy_passwd

Workbook 7-12

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Adjust the permissions of the file by entering chmod 600 /etc/squid/proxy_passwd

Open the file /etc/squid/squid.conf with a text editor.

Change the files so that only the following auth_param lines are active auth_param digest program /usr/sbin/digest_pw_auth \ /etc/squid/proxy_passwd auth_param digest children 5 auth_param digest realm Squid proxy-caching web server auth_param digest nonce_garbage_interval 5 minutes auth_param digest nonce_max_duration 30 minutes auth_param digest nonce_max_count 50

Save the file and close the text editor.

10. Restart Squid by entering rcsquid restart. 11. Close all Mozilla browser windows. 12. Select Start > Internet > Web Browser > Mozilla to open a

new Mozilla window. 13. In the address bar, enter http://www.novell.com.

When the authentication works, a password dialog should open up. 14. Enter the following information: â?&#x2018;

User name: pbear

â?&#x2018;

Password: SUSE

15. Confirm the password dialog by selecting OK.

The Novell web site should be loaded. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-13

SUSE LINUX Security/Self-Study Workbook

Exercise 7-4

Configure Content Filtering In this exercise you configure content filtering with Squid. The exercise assumes that you have already configured Squid on your system according to the exercises 7-1 to 7-3. The exercise consists of the following parts: ■

Part I: Filter Content with url_regex

■

Part II: Install squidGuard

■

Part III: Configure squidGuard

Part I: Filter Content with url_regex

Do the following: 1.

Open a terminal window and su to the root user.

Open the file /etc/squid/squid.conf with a text editor.

Scroll down to the acl section.

After the acl named all, insert the following line acl bad_site url_regex -i example.com

Look for the line http_access allow localhost allowed_user and add the following line before that line http_access deny bad_site

Save the file and close the text editor.

Reload Squid by entering rcsquid reload.

Start Mozilla by selecting Start > Internet > Web Browser > Mozilla.

Make sure Mozilla uses your Squid installation as proxy server: a.

Workbook 7-14

In the address bar, enter http://www.example.com/.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

When the ﬁlter has been conﬁgured correctly, the access to the site should be denied.

Part II: Install squidGuard

To install squidGuard, do the following: 1.

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Enter squidguard in the Search field; then select Search.

On the right side, select the check box before the squidGuard entry in the Results list.

In the lower right corner of Package Manager select Accept.

When YaST displays a dialog about package dependencies, confirm this dialog.

After all packages have been installed, close YaST by selecting Close.

Part III: Conﬁgure squidGuard

To conﬁgure squidGuard, do the following:

Version 1

Open a terminal and su to the root user.

Open the file /etc/squid/squid.conf in a text editor.

Look for the line TAG: redirect_program.

At the end of the tag description, insert the following line

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-15

SUSE LINUX Security/Self-Study Workbook

redirect_program /usr/sbin/squidGuard 5.

Save the file and close the text editor.

Rename the squidGuard default configuration by entering mv /etc/squidguard.conf /etc/squidguard.conf.original

Create a new file /etc/squidguard.conf with the following content logdir /var/log/squidGuard dbhome /var/lib/squidGuard/db dest blacklist { domainlist blacklist/domains urllist blacklist/urls } acl { default { pass !blacklist all redirect 302:http://www.novell.com/index.html } }

Add the domain hotmail.com to the squidGuard domain blacklist by entering (on one line) echo "hotmail.com" >> /var/lib/squidGuard/db/blacklist/domains

Enter rcsquid reload.

10. Select Start > Internet > Web Browser > Mozilla. 11. Make sure Mozilla is configured to use your proxy server:

In the address bar, enter http://www.hotmail.com.

When squidGuard is conďŹ gured correctly, you should be redirected to http://www.novell.com.

(End of Exercise)

Workbook 7-16

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Exercise 7-5

Analyze Squid Log File In this exercise you learn how analyze the Squid log ﬁle. You must have completed the previous exercises so that your access.log contains some data. The exercise consists of the following parts: ■

Part I: Install calamaris

■

Part II: Run calamaris

Part I: Install calamaris

To install calamaris, do the following:

Version 1

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Enter calamaris in the Search field; then select Search.

On the right side, select the check box before the calamaris entry in the Results list.

In the lower right corner of the package manager select Accept.

When YaST displays a dialog about package dependencies, confirm this dialog.

After all packages have been installed, close YaST by selecting Close.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-17

SUSE LINUX Security/Self-Study Workbook

Part II: Run calamaris

To run calamaris, do the following: 1.

Open a terminal window and su to the root user.

Enter calamaris -d 10 /var/log/squid/access.log.

Scroll up in the terminal window and review the report.

(End of Exercise)

Workbook 7-18

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Exercise 7-6

Use Dante In this exercise you use Dante. The exercise consists of the following parts: ■

Part I: Install Dante

■

Part II: Configure the Dante Server

■

Part III: Configure Socksify and Test Your SOCKS Server

■

Part IV: Create a Test User

■

Part V: Configure and Test User Authentication

Part I: Install Dante

Do the following:

Version 1

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Enter dante in the Search field; then select Search.

On the right side, select the check box by dante and dante-server entry in the Results list.

Enter wget in the Search field; then select Search.

On the right side, make sure the check box by wget entry is selected in the Results list.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-19

SUSE LINUX Security/Self-Study Workbook

wget is not part of dante but you will use it in this exercise as a test application. 9.

In the lower right corner of Package Manager, select Accept.

10. When YaST displays a dialog about package dependencies,

confirm this dialog. 11. After all packages have been installed, close YaST by selecting

Close.

Part II: ConďŹ gure the Dante Server

Do the following: 1.

Open a terminal and su - to the root user with the password of novell.

Rename the default sockd configuration file by entering mv /etc/sockd.conf /etc/sockd.conf.original

Create a new configuration file /etc/sockd.conf with the following content: #Server ConďŹ guration logoutput: /var/log/sockd.log internal: your_ip_address port = 1080 external: your_ip_address method: none clientmethod: none user.privileged: root user.notprivileged: nobody #Client Rules

Workbook 7-20

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

client pass { from: 10.0.0.0/24 port 1-65535 to: 0.0.0.0/0 log: connect error } #Socks Rules pass { from: 0.0.0.0/0 to: 0.0.0.0/0 protocol: tcp udp } block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error } 4.

Save the file and start sockd with the command rcsockd start.

Make sure that no error messages are displayed when sockd starts up. When the server starts successfully, only the following line should be displayed:

Starting sockd / dante server

done

If there are any error messages, go to the corresponding line in the configuration file and try to correct the error, then try to start sockd again.

Part III: ConďŹ gure Socksify and Test Your SOCKS Server

Do the following: 1.

Open a terminal window and su - to the root user with a password of novell.

Rename the default configuration file by entering mv /etc/socks.conf /etc/socks.conf.original

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-21

SUSE LINUX Security/Self-Study Workbook

Create a new configuration file /etc/socks.conf with the following content: route { from: 0.0.0.0/0 to: 0.0.0.0/0 via: your_ip_address\ port = 1080 protocol: tcp udp method: none }

Save the file.

Open the sockd log file by entering tail -f /var/log/sockd.log

Enter some empty lines by pressing Enter a few times.

Open another terminal window, but do not su to the root user.

Enter socksify wget www.novell.com The wget command should display that it was able to download the index.html ﬁle of www.novell.com.

Change to the other terminal window and check if a new line has been added to the log file. If sockd and socksify were conﬁgured correctly, the wget command should have created new lines in the logﬁle.

Part IV: Create a Test User

If you have already created the test user pbear in the exercise Conﬁgure Proxy Authentication, you can skip this part. To create a test user, do the following:

Workbook 7-22

Select Start > System > YaST.

On the left side, select Security and Users.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

On the right side, select Edit and Create Users.

Make sure that Users is selected.

Select Add.

Enter the following information: ❑

Full User Name: Peter Bear

❑

User Login: pbear

❑

Password: novell

❑

Verify Password: novell

Select Create.

When YaST notifies you about a weak password, confirm the dialog by selecting Yes.

Select Finish.

10. Select Close.

Part V: Conﬁgure and Test User Authentication

Do the following: 1.

Open a terminal window and su - to the root user with a password of novell.

Open the file /etc/sockd.conf with a text editor.

In the general server section, change the line method: none to method: pam

In the SOCKS rule that starts with pass, insert the following two lines at the end of the rule: method: pam user: pbear

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-23

SUSE LINUX Security/Self-Study Workbook

Save the file and close the text editor.

Restart sockd by entering rcsockd restart.

Open the file /etc/socks.conf in a text editor.

Change the method value in the rule to username.

The line should now look as follows: method: username

10. Save the file and close the text editor. 11. To set the SOCKS user name, enter

export SOCKS_USERNAME=pbear 12. Enter

socksify wget www.novell.com If everything was conďŹ gured correctly, you should be prompted for the password of pbear. 13. Enter novell.

wget should now download and save the ďŹ le index.html. (End of Exercise)

Workbook 7-24

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

Exercise 7-7

Conﬁgure rinetd In this exercise you learn how to conﬁgure rinetd. For this exercise, you work with a partner.

Unfortunately the logging of rinetd is not working correctly on SLES 9. All other functions of rinetd work alright.

The exercise consists of the following parts: ■

Part I: Install Apache on System I

■

Part II: Install and Configure rinetd on System II

■

Part III: Test rinetd

Part I: Install Apache on System I

To install Apache on System I, do the following:

Version 1

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Type apache in the Search field; then select Search.

On the right side, select the check box by apache2, apache2-prefork, and apache2-example-pages in the Results list.

In the lower right corner of Package Manager, select Accept.

When YaST displays a dialog about package dependencies, confirm this dialog.

After all packages have been installed, close YaST by selecting Close.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-25

SUSE LINUX Security/Self-Study Workbook

10. Open a terminal window and su - to the root user with a password

of novell. 11. Enter rcapache start to start the Apache web server. 12. Close the terminal window. 13. Select Start > Internet > Web Browser. 14. In the address bar, enter http://localhost.

The Apache test page should be displayed.

Part II: Install and ConďŹ gure rinetd on System II

To install and conďŹ gure rinetd on System II, do the following: 1.

Start YaST by selecting Start > System > YaST.

When prompted for the root password, enter novell; then select OK.

Start Package Manager by selecting Install and Remove Software on the right side of the YaST dialog.

In Package Manager, make sure that the Filter menu in the upper left corner is set to Search.

Type rinetd in the search field; then select Search.

On the right side, select the check box by rinetd in the Results list.

In the lower right corner of Package Manager, select Accept.

When YaST displays a dialog about package dependencies, confirm this dialog.

After all packages have been installed, close YaST by selecting Close.

10. Create a file /etc/rinetd.conf with the following content:

Workbook 7-26

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Application-level Gateway

system_II_ip_address 80 system_I_ip_address 80 allow 10.0.0.* logďŹ le /var/log/rinetd.log logcommon 11. Save the file and close the text editor. 12. Start rinetd by entering rcrinetd start.

Part III: Test rinetd

Perform this part of the exercise on both systems: yours and your partnerâ&#x20AC;&#x2122;s. To test rinetd, do the following: 1.

Select Start > Internet > Web Browser

In the address bar, enter http://ip_of_system_II. Although the web browser is not installed on System II, the Apache test page should be loaded because rinetd redirects the request to System I.

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 7-27

SUSE LINUX Security/Self-Study Workbook

Workbook 7-28

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Virtual Private Networks

SECTION 8

Virtual Private Networks

In this section of the workbook, you learn how to do the following:

Version 1

■

“Establish a VPN Connection” on 8-2

■

“(optional) Create a VPN Configuration Using YaST” on 8-6

■

“(optional) Filter IPSec Traffic” on 8-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 8-1

SUSE LINUX Security/Self-Study Workbook

Exercise 8-1

Establish a VPN Connection The purpose of this exercise is to familiarize you with the steps necessary to set up a VPN connection. Because the class room computers might have only one NIC and therefore no network behind the gateway, you will set up an end-to-end connection with another student. To establish a VPN connection, do the following: 1.

Open a terminal window and sux - to root with a password of novell.

Install the freeswan packages by entering yast -i freeswan.

Create two certificates with corresponding private keys, one for your own and one for your partner’s computer, as described in Exercise 3-1 “Create a CA and Certificates on the Command Line” on 3-2. You can use any certificates you created in that exercise, providing they fit the hostnames of the computers you will use in this exercise. Discuss with your partner whether you will use his or your CA and certificates. The exercise assumes you use yours.

Using scp, copy the certificate for your partner’s computer, the corresponding private key, and the root CA certificate to the computer of your partner. He or she will have to copy them to their correct place as described in Step 5.

Workbook 8-2

Copy the certificate of your own computer to /etc/ipsec.d/certs/ and the private key to /etc/ipsec.d/private/.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Virtual Private Networks

If public and private key are in one file, copy the private key section to a separate file in /etc/ipsec.d/private/. Delete the private key from the certificate file and copy it to /etc/ipsec.d/certs/. Copy the RootCA certificate to /etc/ipsec.d/cacerts/. 6.

Edit /etc/ipsec.secrets to include a line with the passphrase for your private key: : rsa /etc/ipsec.d/private/myPrivateKey.pem passphrase

Edit /etc/ipsec.conf to fit your and your partner’s computers. The parameters leftsubnet and rightsubnet remain empty. Your and your partner’s IP address are added to left and right. As you are in the same network as your partner you can add left/rightnexthop=%direct. leftid/rightid are taken from the respective certiﬁcates. Use auto=start within the connection speciﬁcation.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 8-3

SUSE LINUX Security/Self-Study Workbook

Your connection speciﬁcation should look similar to the following (no changes are needed in the other sections of /etc/ipsec.conf): # Direct connection between two computers conn da10-da20 # Left security gateway, no subnet behind it, right in same subnet. leftsubnet= left=10.0.0.10 leftnexthop=%direct # ID ist the DN from the certificate, in one line leftid="C=US, O=Training, OU=IT,\ CN=da10.digitalairlines.com/emailAddress=root@da10.digitalairlines.com" leftcert=/etc/ipsec.d/certs/myCert.pem #leftrsasigkey=%cert # already part of defaults # Right security gateway, no subnet behind it, left in same subnet. rightnexthop=%direct right=10.0.0.20 rightsubnet= # ID ist the DN from the certificate, in one line rightid="C=US, O=Training, OU=IT,\ CN=da20.digitalairlines.com/emailAddress=root@da20.digitalairlines.com" #rightrsasigkey=%cert # already part of defaults # To start this connection at startup: auto=start

Open another terminal window and su - to root with a password of novell.

View the log file by entering tail -f /var/log/messages.

10. Start ipsec by entering rcipsec start. 11. View the log entries in the other terminal window.

If there are any errors messages, stop IPSec by entering rcipsec stop correct your configuration and try again. Note: On the computer that starts IPSec first there will be some error message about a refused connection. This does not indicate an error in the configuration.

Workbook 8-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Virtual Private Networks

12. Once IPSec starts correctly, you will see an entry in

/var/log/messages that the security association has been successfully established (IPsec SA established {ESP=>0x...). 13. Open yet another terminal window and sux - to root with a

password of novell. 14. Start tcpdump -i ethx -n (or use ethereal) to see the packets

hitting your interface. 15. Ping your partnerâ&#x20AC;&#x2122;s computer from the first terminal window.

You should see ICMP and ESP packets in the output of tcpdump. This is done by replacing right=ipaddress by right=%any and deleting the line with rightid on the computer that acts as the gateway (=left). No changes are needed on the road warrior side.

Version 1

16. (optional) Modify your configuration so that one of your

computers acts as a road warrior and the other as a gateway accepting connections from road warriors. (End of Exercise)

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 8-5

SUSE LINUX Security/Self-Study Workbook

Exercise 8-2

(optional) Create a VPN Configuration Using YaST The purpose of this exercise is to familiarize you with the YaST VPN module and let you compare the configuration you created in the Exercise 8-1 “Establish a VPN Connection” on 8-2 with the one created by YaST. You work with your partner as in the previous exercise. To create a VPN configuration using YaST, complete the following: 1.

Open a terminal window and sux - to root with a password of novell.

Change directory to /etc.

Save a copy of your IPSec configuration by entering cp ipsec.conf ipsec.conf.manual Open the ﬁle ipsec.conf in an editor and delete the connection description created in Exercise 8-1. Save the ﬁle and close the editor.

Start the YaST VPN module by entering yast2 ipsec &

Workbook 8-6

Decide whether you will use your CA or that of your partner. Either give the needed files to your partner or get them from him or her.

Import the CA certificate and the certificate for your server after selecting Enable VPN Services in the VPN Configuration dialog.

Define the connection for a VPN connection between your computers.

Open another terminal window and compare the resulting configuration in /etc/ipsec.conf with the one you created in Exercise 8-1 “Establish a VPN Connection” on 8-2, now saved as /etc/ipsec.conf.manual, using less.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Virtual Private Networks

View the log file /var/log/messages in a terminal window by entering tail -f /var/log/messages

10. Start IPSec by entering

rcipsec start View /var/log/messages for any errors. Correct your conďŹ guration as necessary. 11. Once the connection is established, start tcpdump in a terminal

window and ping your partnerâ&#x20AC;&#x2122;s computer. You should see ESP packets to and from your computer. (End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 8-7

SUSE LINUX Security/Self-Study Workbook

Exercise 8-3

(optional) Filter IPSec Traffic The purpose of this exercise is to write rules affecting the traffic within an IPSec tunnel. To filter IPSec traffic, do the following: 1.

Open a terminal window and sux - to root with a password of novell.

Make a copy of the script you created as part of Exercise 6-2 “Modify the Script to Set and Delete iptables Rules” on 6-15.

Modify this script to ❑

Mark incoming ESP packets.

❑

Accept incoming and outgoing ESP packets.

❑

Accept incoming and outgoing UDP packets to and from port 500

❑

Accept incoming SSH packets only from within the tunnel.

❑

Accept packets that belong to established connections.

Start the script and correct any errors.

Start the IPSec connection to your partner. Have him or her connect to your computer by using SSH. Ask another student to connect to your computer using SSH as well. (Only your partner should succeed.)

Modify your rules, this time using the policy module to achieve the same result.

Start and test the script again by repeating Step 4 and 5.

(End of Exercise)

Workbook 8-8

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Intrusion Detection and Incident Response

SECTION 9

Intrusion Detection and Incident Response

In this section of the workbook, you learn how to do the following:

Version 1

■

“Log to a Remote Host” on 9-2

■

“Use Argus” on 9-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 9-1

SUSE LINUX Security/Self-Study Workbook

Exercise 9-1

Log to a Remote Host The purpose of this exercise is to show you hot easy it is to create a log host. In this exercise you work with a partner. Decide who of you will send messages and who will receive them. (Do not both send and receive messages to each other, as this might create an endless loop.) To log to a remote host, complete the following: â&#x2013;

Part I: On the Computer Receiving Messages

â&#x2013;

Part II: On the Computer Sending Messages

Part I: On the Computer Receiving Messages

Do the following: 1.

Open a terminal window and su - to root with a password of novell.

Open the file /etc/sysconfig/syslog in vi and add -r to the variable SYSLOGD_PARAMS: SYSLOGD_PARAMS="-r"

Save the file and quit vi.

Restart the syslogd by entering rcsyslog restart

View /var/log/messages by entering tail -f /var/log/messages

Workbook 9-2

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

Intrusion Detection and Incident Response

Part II: On the Computer Sending Messages

Do the following: 1.

Open a terminal window and su - to root with a password of novell.

Open the file /etc/syslog.conf in vi and add the line *.*

@logging_host.digitalairlines.com

Save the file and quit vi.

Reload the syslogd by entering rcsyslog reload

If the receiving computer is already configured to receive log entries, you should see log entries from the sending computer in the console running tail. (You can create log entries by logging in at a terminal window, or by using the program logger.)

(End of Exercise)

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 9-3

SUSE LINUX Security/Self-Study Workbook

Exercise 9-2

Use Argus The purpose of this exercise is to give you an idea how Argus works and how reports are generated. Do the following: 1.

Open a terminal window and su - to root with a password of novell.

Install Argus by entering yast -i argus

Check if the interface set in /etc/sysconfig/argus is correct.

Start Argus by entering rcargus start

Produce different kinds of network traffic, like browsing the web or using SSH to connect to your neighbor.

View the log file by entering ra -r /var/log/argus.log

(optional) Work out filtering rules to limit the output to a certain kind of traffic of your choice.

(End of Exercise)

Workbook 9-4

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

LifeFire Exercise

SECTION 10

LifeFire Exercise

In this section, you get the opportunity to put the various parts covered throughout this course into a comprehensive scenario. It is also intended as part of your preparation for the Novell CLE 9 (Certiﬁed Linux Engineer 9) Practicum exam. You will work with other students in these scenarios to do the following: ■

“Set Up the Application-Level Gateway” on 10-4

■

“Set Up the Screening Router” on 10-5

■

“Set Up a Web Server in the DMZ” on 10-6

■

“Set Up the Mail Server in the LAN” on 10-7

■

“Set Up the VPN Gateway” on 10-8

Remember that skills from all three Novell CLP courses as well as SUSE LINUX Network Services Course 3057 might be necessary to fulﬁll the required tasks. To do these exercises, some of the computers need two NICs and you will need several patch cables and switches or hubs.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 10-1

SUSE LINUX Security/Self-Study Workbook

Scenario Digital Airlines is planning on deploying SUSE LINUX Enterprise Server 9 in its central ďŹ rewall environment. It will consist of application-level gateways, packet ďŹ lters, and remote access via IPSec. As network administrator for Digital Airlines, you worked out the following network layout: Figure 10-1

Workbook 10-2

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

LifeFire Exercise

A separate computer acts as a VPN gateway to allow off site users to connect to the LAN: Figure 10-2

You decide to start by installing a pilot installation in the test lab.

Version 1

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 10-3

SUSE LINUX Security/Self-Study Workbook

Objective 1

Set Up the Application-Level Gateway The following are tasks and requirements that need to be performed on the application level gateway:

Workbook 10-4

■

Set up the network configuration according to the network plan (this will require a switch or hub to connect to the DMZ and the screening router).

■

Configure Squid to allow the clients in the local network to access the World Wide Web using HTTP and HTTPS.

■

Configure a forwarding-only DNS server.

■

Configure a socks server, and configure the clients accordingly.

■

Configure Postfix to accept mail for digitalairlines.com and to forward all mail for that domain to the internal mail server running on 172.16.0.250. From the internal network, mail is only accepted from the internal mail server and relayed to the mail server of the ISP.

■

Write a script to set iptables rules that allow you to access only the above services (squid, socks, mail, dns) and SSH on the application level gateway.

■

Test your configuration.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

LifeFire Exercise

Objective 2

Set Up the Screening Router The following are tasks and requirements that need to be performed on the screening router:

Version 1

■

Install a minimal installation of SUSE LINUX Enterprise Server 9.

■

Set up the network configuration according to the network plan (this will require a switch or hub to connect to the application-level gateway and the DMZ).

■

Write a script that sets iptables rules to allows traffic through the router that originate from legitimate servers running on the application-level gateway or the DMZ computers.

■

The only service on the screening router itself that can be accessible is sshd (from the application-level gateway only). Add this to the iptables script.

■

Configure sshd to allow only public key authentication, no root login.

■

Test your configuration.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 10-5

SUSE LINUX Security/Self-Study Workbook

Objective 3

Set Up a Web Server in the DMZ The following are tasks and requirements that need to be performed on the web server:

Workbook 10-6

■

Set up the network configuration according to the network plan (this will require a switch or hub to connect to the application-level gateway and the screening router).

■

Install a web server offering a test page visible from the Internet as well as the intranet.

■

Make this page accessible via SSL as well (coordinate with the other students on who creates the certificate).

■

Test your configuration.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1

LifeFire Exercise

Objective 4

Set Up the Mail Server in the LAN The following are tasks and requirements that need to be performed on the local mail server:

Version 1

■

Set up the network configuration according to the network plan. The mail server has the IP address 172.16.0.250.

■

Install Postfix as the mail server for the domain digitalairlines.com. It receives mail from the application-level gateway for the users, and the users use it as their mail server to send mail to others.

■

Install qpopper or cyrus-imap for the users to pick up their mail.

■

After the above works, change the configuration to secure SMTP and POP3/IMAP with SSL. This includes setting up a PKI with a RootCA and server certificates (coordinate with the other students on who creates the certificate).

■

Add password authentication to Postfix.

■

Modify Postfix so that it only accepts mail from users who have a valid certificate.

■

Test your configuration.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Workbook 10-7

SUSE LINUX Security/Self-Study Workbook

Objective 5

Set Up the VPN Gateway The following are tasks and requirements that need to be performed on the VPN gateway:

Workbook 10-8

■

Set up the network configuration according to the network plan.

■

Create the necessary certificates for the gateway and a road warrior (or coordinate with the other students on who creates the certificates).

■

Set up the VPN gateway so that road warrior notebooks can access the corporate LAN no matter what IP address they are assigned from their provider.

■

Set up a script to set iptables rules that allow IPSec connections and traffic within the tunnel, but no unencrypted traffic on the interface connected to the Internet.

■

Test your configuration.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 1